To configure an ACL MAC filter policy

Steps
 

Choose Policies→Filter→ACL MAC Filter from the NFM-P main menu. The ACL MAC Filter Policies form opens.


Click Create or select an existing policy and click Properties. The ACL MAC Filter (Create|Edit) form opens.


Configure the parameters as required.

The Default Action parameter specifies the action to be applied to packets when no action is specified in the MAC filter entries or when the packets do not match the specified criteria.

Note: NEs that support next-generation CLI use the policy name as the key identifier for internal system reference. For policies on these NEs, you must configure a policy name (typically the service name or a numerical string). Policy IDs are also supported. You must configure a numerical range on the NE for auto-assigned policy IDs; see To configure an Auto-ID range for policies.


If you need to configure the parameters on the Embedded Filters tab, refer to To configure an embedding filter with embedded filter policies .


Configure a filter entry.

  1. Click on the Filter Entries tab and click Create. The Entry, ACL MAC Filter (Create) form opens.

  2. Configure the required parameters.

  3. Click Select to assign a Log ID to the ACL MAC filter entry.

  4. Click Select in the Time Range panel to assign a time range for the ACL MAC filter entry or click Create to create a new time range. The Select Time Range - MacFilterEntry list form opens.

  5. Select a time range entry and click OK. The ACL MAC Filter (Create) form refreshes with the time range information.

    Note: ACL filters that include ACL filter entries to which you have assigned a time range cannot be assigned to a time of day suite policy.

    Time ranges with which you have associated a ACL filter within a time of day suite policy cannot be assigned to ACL filter entries of that ACL filter.

  6. Click on the Filter Properties tab.

  7. Configure the Primary Action parameter. The Entry, ACL MAC Filter (Create) form refreshes to display the parameters, panels, and tabs applicable to the option you choose. As examples, if you choose Forward (SAP), the Forwarding Destination tab appears, along with the PBR Down Action Override and the Hold Time (seconds) parameters; if you choose HTTP Redirect, the Redirect URL and Allow RADIUS Override parameters appear; if you choose Forward (ESI), then the PBR Down Action Override parameter and the Forwarding ESI Details tab appear.

    Note: The Forward (ESI) option provides the ability to steer traffic using an ESI value in an EVPN data center. The required traffic flow is identified using ACL IP, ACL IPv6, or ACL MAC filters, and then the action associated with the filter steers the traffic towards the service functions hosted on the EVPN data center.

    Forward (ESI) is supported only if a device is in chassis mode D (for those NEs that have chassis mode support).

  8. Configure the parameters associated with each Primary Action parameter option as required.

  9. Configure the remaining parameters on the Filter Properties tab as required.

    Note: Configuring a Secondary Action to specify multiple PBR/PBF targets provides redundancy and load-sharing capacities on steered traffic. Choosing a Secondary Action will also display additional sub-tabs and parameters that must be configured. You must configure a Primary Action before being able to configure a Secondary Action.

    The Source MAC, Src Mask, Destination MAC, Dst Mask, Dot1p, Dot1p Mask, Low ISID and High ISID parameter pairs are configurable when the check box for each pair is selected.

    The Low ISID and High ISID parameters are configurable when the MAC Filter Type parameter is set to ISID.

    The Inner Tag Value, Inner Tag VID Mask, Outer Tag Value, and Outer Tag VID Mask parameters are configurable when the MAC Filter Type parameter is set to VID.

    The DSAP, DSAP Mask, SSAP, and SSAP Mask parameters are configurable when the Frame Type parameter value is set to e802dot2LLC and the MAC Filter Type parameter is set to Normal.

    The SNAP OUI and SNAP PID parameters are configurable when the Frame Type parameter value is e802dot2SNAP and the MAC Filter Type parameter is set to Normal.

    The Ether Type parameter is configurable only when the Frame Type parameter value is set to Ethernet II and the MAC Filter Type parameter is set to Normal.

  10. Save your changes and close the form.


To add an additional filter entry, repeat Step 5.


To define the order in which the policy tries to match filter entries with packets, perform the following steps for each filter entry.

  1. Click Refresh to find an existing filter entry. The list of filter entries is displayed.

  2. Select a filter entry and click Renumber ID. The Renumber Entry ID form opens.

  3. Configure the New Entry ID parameter.

  4. Save your changes. The Entry ID column displays the new identifier assigned to the entry.


Save your changes. The ACL MAC Filter Policies form reappears.


CAUTION 

CAUTION

Service Disruption

Distributing a global ACL MAC filter policy with no filter entries (either because none have been created or all existing ones have been deleted) can cause a service outage. You should ensure that the policy has at least one filter entry, or you must be certain that distributing an empty policy is what you really intend to do. A global policy will be distributed to all of the policy local definitions.

If you attempt the manual distribution of an empty policy, two warning confirmations will be issued. The first warning is issued when you change the policy’s Configuration Mode on the General tab from Draft to Released. You can either choose to proceed by clicking Yes, or abort the Configuration Mode change by clicking No.

The second warning is issued if you changed the Configuration Mode to Released and then try to proceed with the actual distribution in the Distribute form. You can either choose to proceed by clicking Yes, or abort the distribution by clicking No.

If you attempt to release an ACL MAC filter policy that has been initialized from an NE, you will also receive a warning confirmation, since the global policy may be partially updated from the local policy. The Discovery State indicator on the General tab displays this Initialized condition, and the Origin indicator identifies the NE. You should manually synchronize with a specific local policy before changing the Configuration Mode from Draft to Released.

Click Search, select the policy in the list and click Distribute to manually distribute the policy locally to devices. See To release and distribute a policy for more information. Policies are also automatically distributed to devices when they are used by resources on the device.


10 

Close the ACL MAC Filter Policies form.

End of steps